Slashdot Mirror
What's Now State of the Art in Encryption Technology?
One thing about encryption: the easier it is to do, the more people there will be using it. For the non-tech user, encrypting messages on a day-to-day should be no more complex than 3 steps.
JPMH asks:"First journalists and now even relatively clued-up politicians in the UK are talking about making it an offence to use strong encryption in email and web-pages. An obvious counter is that this won't work, because the messages can easily be hidden using Steganography (Slashdot Jan 2, May 8). But that assumes that the steganography itself is good enough not to be detected. Is this true? How good is the state of the art?
To be undetectable, the properties of the 'message' bits you are putting in must be statistically indistinguishable from the 'image' bits you are overwriting. According to a paper by Neils Provos and Peter Honeyman of U. Michigan (highlighted today in the Register) the simplest common programs, such as JSteg and JPHide, fail this test badly and are easily detected. But they failed to nail any confirmed steganographic content in 2 million images on EBay.
Other programs (eg Provos's Outguess 0.2) are more sophisticated at hiding the messages (and other media eg MP3s give a bigger haystack to hide them in); but on the other hand, more sophisticated statistical models of images (eg Slashdot 16 Aug) may be better at making the 'hidden' content stand out.
So, can messages reliably be hidden? Or will people trying to hide their messages in a reliable manner get caught?"
> > Hey dude, I just computed Pi with some
> > home-brewed code, can you check if I got it right?
> >
> > Pi = 3.149018493227539874383983749210025
>
> Hey pal, I think that you need some code tweaking, I get:
>
> Pi = 3.14151747701120741294729382749277
>
I did some tweaking. Now I get:
Pi = 3.141649287392847283785938472901018401
Am I making progress?
Or, you could hide steg messages in what looks like Sircam virii - just change the words a bit, move a space or two or even mess with the attached files.
There's so much data on the Net today that it's not even funny anymore and lots of it is metadata (Napster login names, tcp packet TTLs, file lengths and the naming of cats on personal homepages spring to mind) so you wouldn't even have to bother using a book cipher or pre-set code phrases like "Buy two quarts of milk on the way home, dear" which of course means "ram two commercial jets into tall buildings before breakfast".
I don't really understand why anyone bothers, unless it's to catch the really stupid terrorists, the ones that failed Terrorism 101 by not being able to scare the kindergarten kids next door out of their lunch money. Or, to watch over the general populace...
The point is that you can find hidden messages, faces on Mars and backwards satanic messages everywhere if you look hard enough, but it's impossible to find real messages that's been hidden good enough. Just deal with it.
Money for nothing, pix for free
There is a form of encryption that will always be secure with one exception. Conversations that are based on prior conversation will always be secure, unless the prior conversation was recorded.
Because computers have such a difficult time with semantics this means that a human will have had to have heard the original conversation in order for detection of the "encryption" and its meaning. This is why tracking criminals is such a difficult task. Until we can get computers to understand and infer semantics, and then record ALL conversations, there will be no way to decode all transmissions. As I am sure that many on this forum will agree, this is most likely not going to happen in the near future. This is why undercover work is so important.
To give an example, if I were to say the word "Fjornborgi" to a complete stranger (as most of you are) he would have no idea what I was talking about. On the other hand, if I say that to my brother-in-law, he knows exactly what I am saying and why. This is because we have a history of conversations where the word "Fjornborgi" has been discussed and defined.
As for computed encryption, with RSA no longer under patent and many very good mathemeticians coming up with interesting functions everyday, I see it being more and more difficult for government to monitor and control information. I don't see this as a bad thing, since it gives the citizens of the world more freedom to express their ideas to their audiences in a secure way. There is little fear of being overheard when not desired. Of course, many will abuse the priviledge, but that has been the case for centuries and not a new problem that has shown up just because of encryption.
Ok, I'll admit I'm biased, but I think the next phase in the developing landscape of encryption is universal access to cryptography. I'm not talking about putting PGP on FTP servers, I'm talking about making hard crypto available to my mother.
To this end, I've started the PPS, which is a project devoted to transparent, universal email encryption. The goals are complex, since they are aimed at so many audiences, but you can browse the site and get an idea. If you find it to your liking, please drop me a line and sign up to help.
You don't have to have technical skills. I need proof-readers, coders, researchers, and more. The reference code is not nearly as important as getting the specification done and doing all of the research needed to get the various MUA vendors to sign on.
You make a very intersting point that will no doubt be lost on most of the Slashdot audience (as well as yourself I suppose)
Airplanes;
Dynamite;
Plastic Explosives;
Fertilizer chemicals;
Telephones and other communication equipment;
Knives; and
Boxcutters
Are all heavily regulated already. Some directly like explosives and airplanes, and others indirectly like phones and knives.
Why should strong encryption be different? Just about any tool you can think of has good uses and bad uses. That doesn't mean we should ban the tools, but we should try to minimize their use for purposes contrary to the common good.
Does it violate some inalienable right that you cannot walk into walmart and by C-4 off the shelf? Certainly you have some harmless use for it. Should convicted felons be allowed to carry firearms on the street?
Wake up to the real world people. The fact that we live in a society means that we voluntarily give up certain freedoms for the common good. That is the decision that groups of people make when they get together and form governing bodies.
You cannot simple say banning==bad freedom==good unless your definition of good is anarchy. Do we all agree that the ban on murder is good? Even though it takes away my right to express myself with creative killing?
Si vis pacem, para bellum
The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
Interesting. In a world where backdoors are required, I suppose that the h4x0rs (like your clients, or the PRC govt, say) would find them pretty easily.
sulli
RTFJ.
First, share a one-time pad. This is very easy using steganography: you just choose an image on the internet and a time and agree to seed a pseudo-random number generator with that to get your pad. Encrypt your message by XORing it with the one-time pad. Your encrypted message is now indistinguishable from random noise, assuming your PRNG is good.
Then, you need a data file where noise is expected. Using low-order bits is no good unless you have pictures where the low order bits are actually random, rather than containing no information. One possibility is to take a photograph and make it a GIF or PNG; the lowest order bits that your camera actually produces are probably noise, and will be present in the image.
Replace the input noise with your special noise. The resulting image is now perfectly plausible (your camera could have taken it if some photons happened to land differently, with the same probability as having taken the photo it did take), and the message cannot be read or distinguished from noise unless the codebreaker knows what image you agreed on.
In order to do this, you and the recipient have to agree on an image you control and another image. Having done this, you can, of course, agree on more images later, for communications in both directions. Make sure you both look at a lot of images, including a lot that everyone looks at (e.g., CNN).
And then your recipient looks at the message on his CRT, and the spies read it in the EM radiation. Good thing you weren't saying anything they care about, but why did you bother with all the encryption, then?
Indeed - and I even agree with him. However, he did not say the entire book is wrong, actually, the algorithms and protocols are very, very correct and useful. He said his statements about encryption being capable of solving all problems and being a sort of Holy Grail are wrong. Encryption by itself is not the answer, it's not even the beginning of the answer.. As I said, Secrets and Lies is far more interesting...
By focusing on the PEOPLE USING THE TOOLS, you get to the root of the problem. Eliminate the problem at its source by bringing these people to meaningful justice, and it will not matter what their tools of choice are - you will have eliminated the problem, not the symptom.
Remember - if terrorists followed laws, we wouldn't have to worry about them.
Laws affecting technology will always be bad until enough techies become lawyers.
That's akin to asking, "What are the legitimate uses of a car for those who don't know how to drive?" By the very definition, people who want or need to hide things need a way to hide them - hence, encryption.
However, the implicit statement in your post is that "need to hide" = "crime". Do me a favor. Since you seem so adverse to hiding things, write your name, social security number, all of your credit card numbers, your address, phone number, the names of your children and significant other, your license plate number, and the names/dates of up to the first ten people you have had sex with on ten thousand postcards. Then attach photocopies of a dozen documents from your workplace marked "Confidential," and then send them to the first ten thousand people in your nearest phone book or yellow pages.
Don't want to? Gee, why not? Maybe you have something you want to hide. Maybe you don't want other people invading your personal privacy? Maybe you don't want other people reading documents that could give your competition a leg up on your business? Oh, wait, maybe there's a good reason for encryption. Not because I'm trying to hide any criminal wrong-doing, but because I don't want people to know more about me than they have to. Because not every Joe Blow needs to have easy access to my personal information, or the things I would like to keep as personal knowledge and not general knowledge.
When the ability to keep a secret - ANY SECRET - becomes a crime, you'll know that America has become just as bad as Afghanistan or similar countries.
Seriously though, if you are highly technically savvy (which I will assume since we are speaking about the state of the art) then you can not only create near unbreakable encryption, but near undetectable (or untraceable) encryption. Steganography is a child's toy compared to some of the things that are possible. The internet is a vast 86,400 / 365 information sea, slipping a few megabytes of low profile data into it is going to be hard to notice. By utilizing multiple techniques at the same time (hard encryption, low signal to noise ratio channels, low detectability communications, difficult traceability, etc.) you can be confident that even if someone found your data they would not be able to understand it or extract useful information from it.
For example, let's say you want to send data to someone else. Let's say it's a short text message, though it could be anything up to gigabytes of data without too much trouble. The sender encrypts the text using public key cryptography with a large key (4096-bits or larger), then breaks the encrypted message into several really small chunks, then uses a program to generate thousands of fake chunks. Then, using a sequence of hacked ISP and shell accounts (preferably spanning the world), the sender embeds this "chunk stream" into some nondescript form of communication. Let's say they use a large number of spam messages, or pornographic multimedia posted to a highly trafficked usenet newsgroup over several days and a simple steganographic technique for the embeddding. The receiver downloads the source files, extracts the "chunk stream", selects out the valid chunks, then decrypts the data.
Let's say that Los Federales were able to detect that something funky was going on. That alone, in the firehose of the internet, is a significant challenge. They would need to first be able to extract the data from the embedding system. Not impossible, but difficult. Next they would need to cull out the invalid chunks in the pile they now have. This can be made as difficult a problem as breaking hard-encryption in and of itself. If they manage to wade through that mountain of sludge, they end up faced with near unbreakable encryption. For added fun, repeat some of the steps multiple times! (for example, double encryption, double stage steganography, etc.), preferably with different techniques for each iteration (encryption cycle 1 uses RSA, while cycle 2 uses elliptic curves, etc.)
Or, you could take the route the US has taken since before WWII and use one time pads. One time pads are provably cryptographically secure (if you don't have the key you simply CAN'T break the encryption). The only difficulty is distributing the keys.
Nevertheless, I would imagine that the main goal these days would be low-detectability rather than pure cryptographic security. If they can't find your pigeon in a flock of wild birds then they very well can't even try to decrypt the message it carries. There is a LOT of noise on the internet, that provides a huge amount of hiding space.
Seriously, this is a scenario which (although maybe a -little- OTT) is unfortunately all too believable. Certainly, we're seeing increased restrictions and laws designed to control through fear, rather than through a mutual wish to live in a complex society.
As for information...
(Hands up all who know where the first NATO battle was fought, in the current conflict, in Afghanistan? You didn't even know there -had- been one? Wow, talk about being kept up-to-date!)
The US COnstitution is severely weakened, through current spin-doctoring. I would fully expect that polls would show more than 50% of US Citizens would be willing to have the Constitution suspended, at a time of extreme national crisis.
After that, it wouldn't be too difficult to simply modify how "extreme national crisis" is defined, to make it indefinite. Once that happens, you'd think the current state of things was paradise.
The British aren't innocent of this, either. Carefully-worded polls, with sufficient spin on the results, has all but convinced the British Parliament to establish national ID cards. Something rejected almost unanimously by both politicians and public since the 1950's. There has been no threat imaginable or imagined that could overshadow the deep understanding the British had of how dictatorships, such as the Nazis, rose to power.
(Absolute control of the media is a big one. Cable "broadcasts" were prohibited by Parliament, from the mid 1940's, because of the danger it would pose if a dictator were ever able to sieze control of it. The listening to alternative views would be impossible. Resistance of any kind would be impossible.)
But what's happening in the US? We have two types of news coverage - the semi-neutral, with some US bias, and the screaming fanatics. Opposition view points, including those of the Pope, barely get a mention, even in the most neutral of coverage. Remember, this is the Pope we're talking about, not Art Bell. He's the leader of one of the largest Christian organizations in the world, and he's probably more important to Catholics everywhere than any political leader.
Yet President Bush has effectively made the Pope an enemy of the state. After all, he's obviously not "with us", so he -must- be against us. Doesn't it follow? Bush said so, so it must! President Bush has also effectively declared war on the Vatican, since it certainly harbours people who have commited acts of terror, and it's not going to stop doing so, simply because some wannabe superstar says they should.
Switzerland is also a prime target. It defends its neutrality fiercely, and it has almost certainly made for a good refuge for those who have, ummm, outstayed their welcome in other countries.
Argentina is a third. There's no question that many Nazi war criminals fled there, after the war, and those who haven't died of old age are probably still there.
Invading the Vatican might cause jitters only to those with a Christian mind-set, though given that this allegedly includes George Bush, some might question who's the boss, in his mind.
Invading Argentina probably won't bother anyone much. The British would probably help.
Invading Switzerland might have caused an outcry, under normal times. But if the US successfully overthrows at least two other countries first, I suspect that nobody will really notice or care. The endless war will be "part of life" and "the way things are".
I honestly don't know which is scarier - to contemplate how the future could be on the home front, or how it could end up internationally. Both futures are gloomy.
What I want to know is this -- We've found Carpathia, and he seems to be doing as well in real life as he did in the books, both in manipulation and in starting wars. No disappearances, though, which is a bit worrying, if you think about it, and no opposition. How long before the rest of the series starts to hit? MINUS any "good guys"?
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Ignoring some of the humour value, I hope someone in the media makes a bit of noise about the fact that making strong encryption have backdoors has no effect at all on the use of other methods like pre-exchanged one time pads and the use of little-known languages.
That aside as well, who's going to force the terrorists to use the state-approved software in the first place? That's what I thought....
- Michael T. Babcock (Yes, I blog)